DNSSEC validation

SIMON BABY simonkbaby at gmail.com
Tue Feb 13 21:33:10 UTC 2018

Hello Evan,

Thank you so much for answering my questions. My comments are inline.

> But why do you need your application to contain a recursive resolver?

1. Assume I use an external recursive resolver and that resolver does
not support DNSSEC. How can I validate the signature?

2. If I use an external resolver and a hacker sits between my system
and the external resolver, will it be detected?

3. When the external resolver resolves a query and responds back to
the client, will it strip off the signatures? I assume the validation is
already done at the recursive resolver.

4. Can I integrate the dnsmasq option with my client application? Any references?

Thanks once again for your help and time.


On Tue, Feb 13, 2018 at 1:11 PM, Evan Hunt <each at isc.org> wrote:

> On Tue, Feb 13, 2018 at 12:42:26PM -0800, SIMON BABY wrote:
> > My requirement is to implement only the recursive resolve and validation
> > part of the DNSSEC in my client application. Our CPU and memory are very
> > limited. So I am not sure I can go and use BIND 9.
> But why do you need your application to contain a recursive resolver?
> I can understand why you'd want a built-in validator, but you don't need
> to do full recursive resolution for that; you can send queries to an
> external resolver and then validate the responses.
> > With BIND 9, can I integrate the library in my application to send
> > queries and validate the answer in my client code itself? Can you please
> > point me to any sample code.
> If you're content to do as I suggested above - send queries to an external
> resolver, validate the responses - then see the command 'delv' in the
> BIND 9 source tree; it does that.
> Implementing a full resolver with a library is possible in BIND 9.12,
> in which we spun off a lot of the name server code into a new libns
> library.  I can't point you to any sample code other than named itself,
> though.
> Given what you said about limited CPU and memory, I can't really recommend
> either solution. I'd probably just use dnsmasq and turn on its DNSSEC
> validation option.
> --
> Evan Hunt -- each at isc.org
> Internet Systems Consortium, Inc.
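Questions 2 and 3 above come down to two wire-level details: a stub only receives RRSIGs if it asks for them with the DO bit in an EDNS0 OPT record (otherwise a resolver omits them), and the AD bit in the reply is merely the resolver's own assertion, which anyone on the path between client and resolver can set or clear, so a client that does not trust that path has to validate the RRSIGs itself, as delv does. The following is an added Python example, not code from this thread or from BIND 9: it builds such a query and inspects a constructed response (sample bytes, not captured traffic) for the AD bit and for surviving RRSIG records; the signature cryptography itself is out of scope here.

```python
import struct
# RR type codes and header/EDNS flag bits from RFC 1035, RFC 4034 and RFC 6891
TYPE_A, TYPE_OPT, TYPE_RRSIG, CLASS_IN = 1, 41, 46, 1
FLAG_RD, FLAG_CD, FLAG_AD, EDNS_DO = 0x0100, 0x0010, 0x0020, 0x8000

def encode_name(name):
    """Encode 'example.com' as DNS wire-format labels."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split(".")) + b"\x00"

def build_query(qname, qtype=TYPE_A, txid=0x1234):
    """Query with RD+CD set and an EDNS0 OPT RR carrying DO, so the resolver returns RRSIGs instead of stripping them."""
    header = struct.pack(">HHHHHH", txid, FLAG_RD | FLAG_CD, 1, 0, 0, 1)   # one question, one additional (OPT)
    question = encode_name(qname) + struct.pack(">HH", qtype, CLASS_IN)
    # OPT RR: root owner, type 41, UDP payload size 4096, ext-RCODE 0, version 0, flags with DO, empty RDATA
    opt = b"\x00" + struct.pack(">HHBBHH", TYPE_OPT, 4096, 0, 0, EDNS_DO, 0)
    return header + question + opt

def _skip_name(wire, off):
    """Return the offset just past a possibly compressed owner name."""
    while True:
        length = wire[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:                # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def inspect_response(wire):
    """Checks a stub should make: AD is only the resolver's claim; RRSIGs in the answer are what local validation needs."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", wire, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(wire, off) + 4          # skip QTYPE and QCLASS
    answer_types = []
    for _ in range(an):
        off = _skip_name(wire, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", wire, off)
        answer_types.append(rtype)
        off += 10 + rdlen
    return {"ad": bool(flags & FLAG_AD), "rrsig_present": TYPE_RRSIG in answer_types, "answer_types": answer_types}

def constructed_response(keep_rrsig=True):
    """Constructed sample answer for example.com (not captured traffic); keep_rrsig=False models a resolver that stripped the RRSIG."""
    qname = encode_name("example.com")
    header = struct.pack(">HHHHHH", 0x1234, 0x8180 | FLAG_AD, 1, 2 if keep_rrsig else 1, 0, 0)   # QR, RD, RA, AD
    a_rr = b"\xc0\x0c" + struct.pack(">HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    # RRSIG RDATA: type covered, algorithm 13, labels, original TTL, expiration, inception, key tag, signer, placeholder signature
    sig_rdata = struct.pack(">HBBIIIH", TYPE_A, 13, 2, 300, 0x5A9E5B70, 0x5A8B5B70, 12345) + qname + b"\xaa" * 8
    rrsig_rr = b"\xc0\x0c" + struct.pack(">HHIH", TYPE_RRSIG, CLASS_IN, 300, len(sig_rdata)) + sig_rdata
    return header + qname + struct.pack(">HH", TYPE_A, CLASS_IN) + a_rr + (rrsig_rr if keep_rrsig else b"")
```

If a reply to a DO-flagged query comes back with no RRSIGs, the upstream resolver is not DNSSEC-aware (question 1 above) and local validation is impossible with that resolver, whatever its AD bit says. Setting CD alongside RD asks the resolver to return data even when its own validation failed, so the client's validator, not the resolver's, makes the final decision.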